There was one player Sammy Sosa who had for years conducted interviews in English who suddenly could not speak English when questioned by congress.
This seems to mirror what's going on at Equifax now. The executives' only way of staying out of jail is to claim that they suddenly have no idea what's going on, not only in their company but, in the case of the IT people, also in the very division they are supposed to be running...
Time for Matt Levine to update his rules of insider trading to add rule 11: if caught insider trading after a security breach, don't try and claim that you as a C-level executive don't know what's going on in your own company.
Since the benefits of such contracts often dwarf the value they receive from trading, it should help 'remind' them of what they did and didn't know. But they should not be allowed to have it both ways.
Though, I don't know if it's even gonna be an option on the table.
It's a small world where everyone knows one another and I rub your back so you rub mine.
Cause it sounds like you're testifying that you're just not doing your job in any meaningful capacity, and I should be able to include that as a fact in a civil suit, since you swore in public record that it was the truth.
Forcing them to testify that they didn't fulfill their duties to the shareholders in order to not be responsible personally for the breaches may introduce enough liability all on its own.
They ask if an opened suit can possibly succeed. That is what "can I sue" means colloquially, one hundred percent of the time.
So, if they testify that they knew - they're liable.
If they testify that they didn't know, and the SEC can prove otherwise - same as above + perjury.
If they testify that they didn't know, and the SEC cannot prove otherwise, then at least it is treated as them confirming their incompetence. So if they get, say, a bonus later, or a "golden parachute" for outstanding service on retirement, that is treated as evidence contradicting their claims.
Either there's enough evidence to convict those execs of crimes, or there isn't. If there's not sufficient evidence for that, then how can you suggest that the government should still have the authority to have them punished?
Clearly it doesn't apply to non US governments but the government of the United States has all of the tools already at their disposal to unilaterally implement just this sort of policy.
The policy question is a bit deeper than that, governing is ideally equal parts carrot and stick, and when there is clear evidence of a harm (and there is in this case) where it is impractical for the citizen to prosecute their own defense (could be debated either way) then the last line of defense for the citizen is the enforcement by their collectively empowered authority. That is perhaps the fundamental source of authority for any government.
And a fine/penalty for not doing their job and putting so many lives at stake. They should literally be driven down to middle class mediocrity for their negligence.
There has to be some example set for future transgressions.
It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."
Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.
Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.
The people need to rein in the corporate interests of the world. Companies are already larger and more powerful than governments. People should be freaking out. This event just underscores that need.
That seems like a dangerous, slippery road with a lot of unintended side effects.
This is why it's important we not allow laws to be passed with the assumption that overly broad permission grants are OK, because they'll only be used 'correctly'.
Do you know how stressful it is being questioned? I was waiting to pick someone up from a train station in Spain when security approached to tell me the station had closed, and why was I still there. All the Spanish went out my head. I imagine being questioned by congressional investigators is probably even more stressful.
I was once on a jury in California in a case where several witnesses gave testimony through a Spanish interpreter. It seemed clear that some of the witnesses who testified through the interpreter were fluent in English, and so it seemed a little gratuitous to me at the time. Later on I understood that it made sense both for reducing the stress in the situation and for avoiding any minor linguistic misunderstandings in cross-examination that a lawyer might try to make a big deal out of. It's quite possible that the lawyers encouraged their witnesses to use the interpreter.
It sounds like a bad idea all around.
I'm more concerned that the prosecution, understanding how stressful the situation is for me and how, not being a native speaker, I wouldn't necessarily be familiar with legalese or a very formal lexicon, uses it against me to extract a confession due to my confusion, than I am that the nuances would be lost through an interpreter.
I speak English with the police, even for trivial things where I'm the one requesting service, like when I lost my wallet. That is not a context where I want to get anything wrong, and where there is absolutely nothing to be gained from showing off what I learned in language class.
Though to be fair, the Sammy Sosa anecdote was more for humor than anything else. Oddly it turned into a comment that got 50 upvotes.
I appreciate the response, I think you've flipped my thinking on this:)
> Also, though, I found it hard to imagine that those Equifax executives were consciously insider trading. It would just be too dumb. Equifax's press release reporting the breach says that it "discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion," though it didn't announce it until yesterday because it was still investigating. The three executives filed Form 4s reporting sales on Aug. 1 and 2, days after the discovery. You could just about imagine them learning of the security breach, panicking, and selling everything -- except that they didn't sell everything. One sold about 4 percent of his stock holdings, another about 9 percent, another about 13 percent. Why do such comically obvious insider trading if you're only selling a small percentage of your stock? And indeed the company explained that these executives "had no knowledge that an intrusion had occurred at the time." I guess the time between "tech person discovers a security breach" and "top executives discover it's a huge embarrassing crisis" is more than a couple of days.
That's exactly right. I can imagine the gradual motion up the chain of command, with the progress actually slowing down as the size of the breach and potential exposure becomes more and more apparent, and each level trying to minimize the damage. I'd have hated to be the guy that had to tell the CEO...
It's better for them that they don't know anything until they know everything.
"The guy that had to tell the CEO" (actually woman) was one of the two parties who resigned the other day.
But that was a very specific (and again, regulated) industry.
When did the company learn of this incident?
"We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review."
The trades in question took place between three and four days later. During this time, Equifax would have us believe, these three senior managers were kept in the dark about the fact that hackers had undertaken what may be the largest-ever private security breach right under their noses. Moreover, we’re to understand that even the chief financial officer remained unaware as the company “acted immediately” to right the ship.
Because then it makes it look innocuous and fools those who would scrutinize the behavior, like it may have done for anyone expressing the above opinion. It would be so blindingly damning to sell off all of one's holdings, but selling off a small portion could allow for partial benefit of your asset at peak value before it declines.
If it were me, I'd do it exactly this way. I'd be trying to find the perfect intersection of mitigating the upcoming asset value decline and maximizing perceived innocuousness. Selling everything? That'd be a sucker's move.
(I hate myself for having written that, but ugh. Too damn much tit-for-tat.)
I think in this case the execs are going down. I will be shocked if we don't see some jail time after this is all done.
Hire a lawyer, no interviews with the FBI, but "me know nothing" might be a problem if they got memos on the breach, attended meetings, drew up plans on dealing with the fallout etc. It's hard to keep such a secret, especially from the top level execs.
> ... discovered a security breach on July 29...
> ... sold shares worth almost $1.8 million in early August...
> ... didn’t know of the breach at the time
You're the president of U.S. information solutions and you didn't know about the largest information breach in your company's history a week later?
If that's true, that speaks more to the problems in this company than the actual breach itself.
> Trey Loughran leads the company’s United States Information Solutions (USIS) business, which includes U.S.-based services that provide businesses with consumer and commercial information and insights related to areas of risk management, identity and fraud, marketing and other industry-specific solutions.
He would definitely be in the loop regarding a breach of this nature.
At my consulting firm, the execs in charge of our cybersecurity consulting practice are absolutely not involved in any internal cybersec investigations that happen to our own firm. In fact, we have specific procedures which say that our cybersecurity consultants cannot be involved with internal incidents. All internal investigations have to be done by outside, impartial firms.
For sure, an investigation will be forthcoming and, in this country, one is innocent until proven guilty. But it seems, in my opinion, exceedingly likely that we'll find an email or text or some bit of ephemera notifying these people of the breach.
If not, well, I will eat my hat.
I also wouldn't be surprised if he did know, but just wanted to emphasize these BigCo org charts tend to be insanely big and complicated. At the senior levels you may not talk to or see your boss for weeks; especially when some big shit like this is being uncovered. So totally possible he knew nothing.
Everyone seems to have reached conclusions about this on very suspicious circumstances, but almost zero facts.
I realize this may seem like mob-mentality or mob-rule but there's some nuance here. When you see such gross negligence do you wait until hearings and court judgements which can easily take years before voting with your wallet?
The way to "opt-out" is to never use credit.
In most of the US it's against code to live in an apartment without electricity. In order to get electricity, you have to open an account with a utility, who opts in to submit all your data to Equifax.
Their Workforce Solutions division does the same thing with employment data, so simply by applying for a job from a participating employer, you're consenting to ultimately let the employer report that you work for them, what your current salary is, your SSN and all the rest of the juicy PII.
Fall on hard times? Need some government assistance? Applying for food stamps will also result in your state agency making an inquiry with Equifax to confirm your location of residence and last reported income. If you didn't have a profile before, you do now.
There is no way to opt out unless you work for yourself, live in a home you paid cash for, generate your own power/gas, and never use credit. So basically Unabomber life.
I'm already trying to figure out how to push locally for dropping SSNs from processes, no matter how Sisyphean it feels.
For me personally, the trading issue is a related but separate incident; one hasn't crossed the same threshold of clear evidence.
Prejudging their guilt isn't favorable and we should avoid doing it as a commitment to our legal system but people would have to ignore their eyes to come to the conclusion that this isn't what it looks like.
A few years back, it seemed that a huge number of people were willing to give President Obama, and even Lois Lerner, a pass on illegal actions of the IRS based on exactly this theory: it's the responsibility of the manager to know what their underlings are doing.
And I don't mean to pick on just Obama. Ronald Reagan, patron saint of the GOP, skated on just such a thing with Iran-Contra. They got Oliver North to be a scapegoat and insulate Reagan and Bush.
So if you're wanting blood from the Equifax execs, think about who you've given a free pass to before.
Constructive knowledge really only holds in corporations (and I'm not an attorney, but I think it holds in organized crime organizations as well). And it was enhanced with Sarbanes-Oxley, which was passed in the early 2000s.
Also, I'm under the impression that federal prosecutors appear very reluctant to actually use it in court, and where they do use it, they usually have more direct evidence of wrongdoing. However, I get the sense that prosecutors know it exists, and the Justice Department under Obama did use it to extract those massive fines from banks (albeit with no admission of wrongdoing, a get-out-of-jail-free card for the criminals in the firm, and the firms that retained Eric Holder's law firm seemed to get more favorable settlements).
Wouldn't it be more accurate to say that we have n-1 facts? (or n-3, one for each person)
I wonder if the 2600 number is significant or just a coincidence.
with an investor conference call on the morning of Thursday, July 27.
Any public company I've worked at has had a trading window that opened a day or two after an earnings report came out, with most people who want to trade trading early in that window. Admittedly I've never been an executive and I don't know how the rules differ for execs, but the dates when these trades took place are when I would expect Equifax employees to execute options and sell stock.
It also strikes me as possible that information about a security breach discovered on the weekend might not make its way up the company hierarchy for a few days, and that execs might not have been aware of it when they traded.
I do think this should be investigated by the SEC, but I'm a little disappointed at the rush-to-judgement in this thread.
Then again, was any part of the breach actually criminally negligent? Maybe this is the only real way that the DoJ even can go after Equifax...
Edit: for example, there is the FedRAMP set of compliance rules.
We've got the FBI and other law enforcement agencies for that aspect, not that I'm optimistic that anyone will really be held accountable.
From the limited descriptions I've read of the architecture of the Equifax system, someone needs to go to prison.
Now, based on my experience, it's entirely possible that the July 29th "discovery" date only refers to the date on which some security analyst noticed abnormal behavior. That, combined with the possibility that Equifax doesn't have good security communication practices in place, means it easily could have been a few days (or even weeks) before the security team looked into it enough to know the size of the breach and escalated it up to the C-suite.
Whether the executives in question knew of the breach at the time they sold is irrelevant to whether the company, in allowing this sale to occur, misled the investors who bought those shares since the company, at the time of the sale, had awareness of the breach.
Disclaimer: I am not a lawyer. This is not legal advice. Do not ever insider trade.
I was reading a book published in 2008 called “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity”.
The main bad guy lobbyist of that book, Eric Ellman, who is now the head of the credit reporting lobbyist group (http://www.cdiaonline.org), PROUDLY DISPLAYS his portrayal in that book on his LinkedIn.
He basically doxxed himself.
How can anyone believe this bullshit anymore? That website was out of date by 1996. It looks so bad. They don't care at all.
It doesn't sound believable to me that the managers could be unaware of the hiring of an external security firm, or that the company had shut down one of their major web applications.
The CFO is the one that is a little iffy, because the CFO might be involved in the hiring of the external firm. However, having worked for security consulting firms, it's also entirely possible that the CISO is given a blank check for this type of stuff without having to get CFO approval. I've worked in plenty of organizations doing cybersecurity work where the C-suite (including CIO, CFO, etc) was completely unaware we are there because they don't have to rubber stamp every single transaction.
It's also a possibility that the 8/2 date on which they "contacted" the firm was just when discussions started between the two parties, and it might have been a few days before a contract was ironed out enough to involve the CFO or anyone else.
There's a bunch of other possibilities/scenarios in which I think it's entirely believable that they didn't know. It's shady and worthy of investigation, yes, but I'm not willing to convict them just yet.
It doesn't do anyone any good if you release a statement as soon as you notice abnormal behavior that just says "we might have been breached and our customers may be affected, but we don't know who is affected and we don't know how it affects them yet".
The US needs a DPA, or at least its residents do. The government couldn't care less.
Equifax officer: "uh.."
They will scrape through all their texts, emails, call logs. Someone will screw up somewhere. If they are dumb enough to provide a "SSN API" - I am sure their texts are a hilarious treasure trove. An easy slam dunk case.
> Equifax officer: "uh.."
- "To buy a vacation home...".
- "But why now?"
- "Prices are going up so seemed right to jump in"
The question is whether they can reasonably refute that they didn't hear anything about the breach. If it has to be proven beyond reasonable doubt, the lawyers might think they can convince a jury. They could say they were on vacation, maybe, and didn't receive any communication about it. It is just that their cousin happens to be the college buddy of another exec, but that might be tricky to prove.
I realize they're examples, but if there really is a high index of suspicion...
"So which realtor have you been working with? Presumably your browser history will show hits to real estate sites, too..."
"Vacation? Very nice. I'm sure you have boarding passes or credit card receipts from hotels..."
Maybe not too believable but to suggest they would have no answer at all is a bit naive.
Maybe because I don't work at a "pure" tech company, but a few coworkers have commented that they had to sign up for credit protection with sort of a shrug attitude. They don't realize how negligent Equifax was here or what the impact is going to be for the rest of their lives.
Congress and the various regulatory bodies will take their pound of flesh. The CEO/Chairman will keep his job. Maybe MAYBE the President of USIS and/or the CFO go to jail for insider trading.
On the surface the security folks don't have great credentials...I kind of wonder if the CEO chose his subordinates specifically to take the hit in a data breach situation like this.
^ This! They sure have shuffled the CIO and CISO out of the conversation quickly.
I'm sure you can be a perfectly competent CISO with two degrees in music composition and ten years experience, but they sure don't want us to hear about it if we haven't already.
I've been through an acquisition before and promoted and put into the position of "potential fall guy" where my name went on official documents, and there wasn't a budget for more people or things we needed. If we lost medical records to hackers, I'd expect to answer some uncomfortable questions!
But they are actively erasing information about these people from the internet, when lots of us want to have a closer look.
What happened to failure as a learning experience? Retired effective immediately? Come on, those two people will never make that same mistake again!
Also, if there was a "bad vibe" at the company, but they didn't specifically know about the breach, would that be insider trading?
Unlike crimes like murder, insider trading is not predicated on intent, so proving intent is unnecessary.
(Unless it required other, non-public data to know that the bug was important)
It seems to create a false sense of security, that people inside the company aren't going to do bad things. Many people have made their fortunes on some degree of insider trading that they wouldn't have made otherwise.
Wouldn't the markets be more efficient without this mirage?
An analogy: It'd be like playing online chess for money, without any way to stop your opponent from using a computer to make their moves. Or like the Olympics where some people are allowed to use performance enhancing drugs.
After a very short time, most everyone will have left the market.
There's also no more reason to legalise insider trading than murder or burglary. The prevalence is very likely to be at an all-time low currently, because the statistical methods used to spot insider trading in market data have improved dramatically. Some quant funds also flag suspicious trades as a sort of by-product of their work and share that data with the authorities.
Isn't this legal for members of the United States Congress? I can't recall the specifics, but seem to remember some special exemption for them from insider trading rules.
I agree that the timing of these sales looks really bad. However, I've heard that these guys are executives with an enormous amount of stock and the sales were for a small percentage of their overall stake. If they were intentionally breaking the law to avoid losses, wouldn't they sell all or most of it? Was most of their stock not vested and they just dumped what had already vested? Or is the claim that it was a small percentage of their stock not true?
Since it is a criminal probe the prosecutor would have to prove beyond reasonable doubt they knew? It would seem the executives who believed they could officially refute seeing the information would have done this. Some might have contacted their lawyer maybe and asked "ok so I overheard it in the hallway as I was leaving on vacation, didn't open my email or get any calls about it, what do you think, could I slide by and sell".
In general, what is the conviction rate for insider trading? It seems in general a hard thing to prove.
Regarding your question: insider trading is pretty well-policed. Conviction rate isn't really meaningful (but I'd estimate it's well above 3/4). What would be interesting is the rate of discovery, which is unfortunately impossible to know, because it's a "victimless" crime: nobody knows they've been harmed, and therefore it's impossible to find instances of insider trading without (usually) also finding the culprits.
But it's a pretty good guess that prosecution of insider trading is better today than it has ever been. Because all data is now available in digital form and can be sifted through with all sorts of advanced statistics/machine learning/etc. There's really no escape from this dragnet, because there's no way to trade without those trades showing up in the data. It's only after suspicious trades are discovered that they start following the money.
In these days of electronic work environments, there are so many digital footprints one leaves in the trail.
They are almost certainly the kind of folks who planned this out and if there isn't any proof of knowledge, then there just isn't any. But it does seem inconceivable that they would have no knowledge of the event.
Which may get them off the insider trading charge, but opens them up to one hell of a shareholder lawsuit.
The excess capital, if the stock has not recovered, should be given to non profit charities that support victims of identity fraud.
"Of course we were ignorant of the breach, we're really just not on top of things, I mean, look at how we got into this situation, and how we handled it! Does that sound like competence to you? Of course not!"
The HN thread that found another copy:
The first story that I saw breaking this interview, drawing attention to this story before it was wiped out by "user":
I'm reposting this information, there's nothing earth shattering for me in the interview but I smell a coverup (I hope it doesn't sound controversial when I say this, it appears to be that material information has been wiped off the public record during an investigation, and that's a coverup! Not mincing words.) This has hardly been covered at all, so I'm going to mention it again. I figure the story probably isn't going away anytime soon.
I think it's criminal (possibly quite literally) that this information is being suppressed by whoever has taken the original interviews down. It should be a case study, we should all watch it. I want to hear more from Susan Mauldin, but the appearance is they want her to disappear.
I am interested in the stock sales too, but I would like it to be a thing, where we all can learn from what has happened and fix our issues to be better at this kind of thing. There are obviously technical and greedological issues that own some blame, but let's not be hasty and sweep the cultural issues under the rug. (There was a second interview from that day, which to my knowledge has not been recovered yet.)
I'd like to be charitable and say that CISO Susan Mauldin did nothing wrong, but it's hard for me to make that argument seriously without more data and I don't hear anyone calling for her to testify in front of Congress yet. Maybe they'd like us to forget she was ever involved in the company, that just makes me want to know more and it should you too, if you've been following the story (but who could blame you for not knowing, just look what they're doing!)
(USA can chew gum and walk at the same time, but where is the probe for the breach...? 143 million people terrorized and most likely thousands will have their life turned upside down because of it.)